Activemq
General Information
ActiveMQ messaging server with an amqp+ssl transport connector, for an AWS-like messaging protocol.
Official Site: http://activemq.apache.org/
Checklist
- Distro(s): CentOS 7
Install
Installing ActiveMQ.
- Install Java pre-req.
yum install java-1.8.0-openjdk
- Install ActiveMQ tarball into /opt/ (5.15.3 example)
wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
tar -zxvf apache-activemq-5.15.3-bin.tar.gz -C /opt
- Symlink for a version agnostic path (5.15.3 example)
ln -s /opt/apache-activemq-5.15.3/ /opt/activemq
- Service file
- CentOS 7: Create systemd service file
vim /etc/systemd/system/activemq.service
[Unit]
Description=activemq message queue
After=network.target

[Service]
# The activemq script backgrounds the JVM and writes the pid file, so systemd must track it as forking
Type=forking
PIDFile=/opt/activemq/data/activemq.pid
ExecStart=/opt/activemq/bin/activemq start
ExecStop=/opt/activemq/bin/activemq stop
User=root
Group=root

[Install]
WantedBy=multi-user.target
- Reload systemd daemon
systemctl daemon-reload
Configure
Configuring ActiveMQ.
- Update admin and user passwords
vim /opt/activemq/conf/jetty-realm.properties
- Edit the transport connectors to use SSL (amqp+ssl) and comment out or delete all unused transports. Inside the uri attribute the option separators must be written as &amp; (a raw & is not well-formed XML and the broker will fail to start).
/opt/activemq/conf/activemq.xml
<transportConnectors>
    <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
- Append SSL options to environment file
echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env
- HTTPS on the web console
vim /opt/activemq/conf/jetty.xml
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
            <property name="keyStorePassword" value="activepw!" />
        </bean>
    </constructor-arg>
    <property name="port" value="8162" />
</bean>
- After verifying that HTTPS works as configured above, disable (comment out or delete) the plaintext http web console Connector
vim /opt/activemq/conf/jetty.xml
<!--
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <property name="host" value="#{systemProperties['jetty.host']}" />
    <property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
-->
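As an added example (not part of this page and not ActiveMQ's own code), the following Python script audits activemq.xml and jetty.xml text offline for the settings configured above: every transportConnector uses a TLS scheme, TLS connectors restrict transport.enabledProtocols to TLSv1.2 (TLSv1.3 is also accepted, by assumption) and list no weak cipher suites, and jetty.xml no longer defines the plaintext Connector bean. The sample XML, the allowed-protocol set and the weak-suite markers are constructed assumptions for the example; it also shows the failure you get when the uri options are joined with a raw & instead of &amp;.

```python
"""Offline audit of activemq.xml and jetty.xml (added example, not ActiveMQ's own code)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Protocol versions a TLS transport may enable; the page pins TLSv1.2 (TLSv1.3 added by assumption).
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings marking a cipher suite as weak under this audit's policy (assumption).
WEAK_SUITE_MARKERS = ("_NULL_", "_anon_", "_RC4_", "EXPORT", "3DES", "_MD5")

# Constructed sample: a plaintext OpenWire listener, the page's amqp+ssl listener,
# and a stomp+ssl listener that still allows TLSv1 and an RC4 suite.
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&amp;maximumConnections=1000"/>
      <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?transport.enabledProtocols=TLSv1,TLSv1.2&amp;transport.enabledCipherSuites=TLS_RSA_WITH_RC4_128_SHA"/>
    </transportConnectors>
  </broker>
</beans>
"""

# Constructed sample jetty.xml with the http Connector commented out, as the page recommends.
SAMPLE_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <!--
  <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <property name="port" value="8161" />
  </bean>
  -->
  <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <property name="port" value="8162" />
  </bean>
</beans>
"""


def _local(tag):
    """Strip the XML namespace: '{uri}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def _is_tls_scheme(scheme):
    # amqp+ssl, stomp+ssl, mqtt+ssl, plain 'ssl' (OpenWire) and https all run over TLS.
    return scheme in ("ssl", "https") or scheme.endswith("+ssl")


def audit_activemq_xml(xml_text):
    """Return a list of (connector name, finding) for activemq.xml content."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' between uri options is the usual cause; XML requires '&amp;'.
        return [("(parse)", f"not well-formed XML ({exc}); use &amp; between uri options")]
    findings = []
    for el in root.iter():
        if _local(el.tag) != "transportConnector":
            continue
        name = el.get("name", "?")
        parts = urlsplit(el.get("uri", ""))
        if not _is_tls_scheme(parts.scheme):
            findings.append((name, f"plaintext transport {parts.scheme}://{parts.netloc}"))
            continue
        opts = parse_qs(parts.query)
        protocols = [p for p in opts.get("transport.enabledProtocols", [""])[0].split(",") if p]
        if not protocols:
            findings.append((name, "transport.enabledProtocols not set (JVM defaults apply)"))
        else:
            legacy = sorted(set(protocols) - ALLOWED_PROTOCOLS)
            if legacy:
                findings.append((name, "allows legacy protocol(s): " + ",".join(legacy)))
        suites = opts.get("transport.enabledCipherSuites", [""])[0].split(",")
        weak = [s for s in suites if any(m in s for m in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append((name, "weak cipher suite(s): " + ",".join(weak)))
    return findings


def jetty_http_console_enabled(xml_text):
    """True if jetty.xml still defines the plaintext 'Connector' bean.

    ElementTree discards XML comments, so a Connector that was commented out
    (as the page recommends) is not seen and this returns False.
    """
    root = ET.fromstring(xml_text)
    return any(_local(el.tag) == "bean" and el.get("id") == "Connector" for el in root.iter())


if __name__ == "__main__":
    for name, finding in audit_activemq_xml(SAMPLE_ACTIVEMQ_XML):
        print(f"[activemq.xml] {name}: {finding}")
    print("[jetty.xml] http console enabled:", jetty_http_console_enabled(SAMPLE_JETTY_XML))
```

Run it against the real files by reading /opt/activemq/conf/activemq.xml and /opt/activemq/conf/jetty.xml into the two functions; an empty findings list and a False from the jetty check mean the files match the hardening described above.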
Verify
Verify the above configured settings.
Web console
- Check protocols and ciphers
sslscan --no-failed ip.address.goes.here:8162
- Ensure insecure web portal is not reachable via: http://ip.address.goes.here:8161
Transport
- Check secure transport port
nc -i 3 -vw 3 ip.address.goes.here 5671
sslscan --no-failed ip.address.goes.here:5671
- Ensure insecure transport port is not reachable
nc -i 3 -vw 3 ip.address.goes.here 5672
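The nc and sslscan steps above, combined into one post-hardening report as an added example (not from this page): it records the protocol and cipher the broker negotiates on the TLS ports and confirms that the plaintext ports refuse connections. The port numbers are the page's defaults and the target host is a placeholder; certificate verification is disabled on purpose because broker.ks is typically self-signed, so the script inspects the listener rather than authenticating it. It reports only the version the client and broker agree on; enumerating every protocol the broker would still accept remains sslscan's job.

```python
"""Live check of ActiveMQ listener hardening (added example, assumes a reachable broker)."""
import socket
import ssl
import sys

# Page defaults: TLS listeners that must answer, plaintext listeners that must not.
TLS_PORTS = {5671: "amqp+ssl transport", 8162: "https web console"}
PLAIN_PORTS = {5672: "amqp transport", 8161: "http web console"}
TIMEOUT = 3.0  # seconds, mirrors 'nc -w 3'


def port_refuses(host, port, timeout=TIMEOUT):
    """True when a TCP connect fails (refused, filtered or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True


def negotiated_tls(host, port, timeout=TIMEOUT):
    """Return (protocol version, cipher name) negotiated with the listener.

    Verification is disabled deliberately: broker.ks is usually self-signed and we
    are inspecting the listener, not trusting it. Raises OSError on failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def acceptable_version(version):
    """Policy from the page: the connector is pinned to TLSv1.2 (TLSv1.3 allowed by assumption)."""
    return version in ("TLSv1.2", "TLSv1.3")


def check_listeners(host):
    """Return {label: (passed, detail)} for every port the page configures."""
    results = {}
    for port, label in TLS_PORTS.items():
        try:
            version, cipher = negotiated_tls(host, port)
            results[label] = (acceptable_version(version), f"{version} {cipher}")
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results[label] = (False, f"handshake failed: {exc}")
    for port, label in PLAIN_PORTS.items():
        refused = port_refuses(host, port)
        results[label] = (refused, "closed" if refused else "OPEN (plaintext still reachable)")
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ip.address.goes.here"  # placeholder host
    for label, (passed, detail) in check_listeners(target).items():
        print(f"[{'PASS' if passed else 'FAIL'}] {label}: {detail}")
```

Run as "python3 check_activemq.py ip.address.goes.here"; every line should read PASS once the configuration above is in place, and a FAIL on a plaintext port means the old connector is still listening.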